Configure a Site-to-Site IKEv2 Tunnel Between Two ASAs Using IKEv2 Multiple Key Exchanges (2024)

    Introduction

    This document describes how to configure a Site-To-Site IKEv2 VPN connection between two Cisco ASAs using IKEv2 Multiple Key Exchanges.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Cisco Adaptive Security Appliance (ASA)
    • General IKEv2 Concepts

    Components Used

    The information in this document is based on the Cisco ASAs running 9.20.1.

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Limitations

    The IKEv2 Multiple Key Exchange has these limitations:

    • Supported on the ASA CLI only
    • Supported on Multi-Contexted and HA devices
    • Not supported on Clustered devices

    Licensing

    The licensing requirements are the same as for Site-to-Site VPN on the ASAs.

    Background Information

    Need for Additional Key Exchanges

    The arrival of large-scale quantum computers poses a serious risk to security systems, especially those that rely on public-key cryptography. Cryptographic problems that are considered very hard for classical computers can be solved efficiently by quantum computers. Hence the need to move to new, quantum-resistant methods, also called post-quantum cryptography (PQC) algorithms. The aim is to strengthen IPsec communication by using multiple key exchanges: a traditional key exchange is combined with a post-quantum one. This approach ensures that the resulting exchange is at least as strong as the traditional key exchange on its own, which adds a further layer of security.

    The plan is to extend IKEv2 with support for multiple key exchanges. These additional key exchanges can carry algorithms that are resistant to quantum attacks. To carry the material for these additional key exchanges, a new exchange type called the Intermediate Exchange is introduced. The additional key exchanges are negotiated with the regular IKEv2 mechanism, through the SA payload.

    Configure

    This section describes the ASA configurations.

    Network Diagram

    The information in this document uses this network setup:

    [Network diagram: Local ASA (outside 10.10.10.10, inside 192.168.0.0/24) connected over the public network to Remote ASA (outside 10.20.20.20, inside 172.16.10.0/24)]

    ASA Configuration

    Configure the ASA Interfaces

    If the ASA interfaces are not configured, ensure that you configure at least the IP addresses, interface names, and security levels:

    interface GigabitEthernet0/0
     nameif outside
     security-level 0
     ip address 10.10.10.10 255.255.255.0
    !
    interface GigabitEthernet0/1
     nameif inside
     security-level 100
     ip address 192.168.0.1 255.255.255.0


    Note: Ensure that there is connectivity to both the internal and external networks, especially to the remote peer that is used to establish a site-to-site VPN tunnel. You can use a ping in order to verify basic connectivity.

    Configure the IKEv2 Policy with Multiple Key Exchange and Enable IKEv2 on the Outside Interface

    In order to configure the IKEv2 policies for these connections, enter these commands:

    crypto ikev2 policy 10
     encryption aes-256
     integrity sha256
     group 20
     prf sha256
     lifetime seconds 86400

    Additional key exchange transforms are configured under crypto ikev2 policy with the additional-key-exchange command. A total of seven additional key exchange transforms can be configured. In this example, two additional key exchange transforms are configured (using DH groups 21 and 31):

     additional-key-exchange 1 key-exchange-method 21
     additional-key-exchange 2 key-exchange-method 31

    The final IKEv2 policy looks like this:

    crypto ikev2 policy 10
     encryption aes-256
     integrity sha256
     group 20
     prf sha256
     lifetime seconds 86400
     additional-key-exchange 1 key-exchange-method 21
     additional-key-exchange 2 key-exchange-method 31


    Note: An IKEv2 policy match exists when both of the policies from the two peers contain the same authentication, encryption, hash, Diffie-Hellman parameter, and Additional Key Exchange parameter values.

    You must enable IKEv2 on the interface that terminates the VPN tunnel. Typically, this is the outside (or internet) interface. In order to enable IKEv2, enter the crypto ikev2 enable outside command in global configuration mode.

    Configure the Tunnel Group

    For a Site-to-Site tunnel, the connection profile type is IPSec-l2l. In order to configure the IKEv2 preshared key, enter these commands:

    tunnel-group 10.20.20.20 type ipsec-l2l
    tunnel-group 10.20.20.20 ipsec-attributes
    ikev2 remote-authentication pre-shared-key cisco
    ikev2 local-authentication pre-shared-key cisco

    Configure Interesting Traffic and Crypto ACL

    The ASA uses Access Control Lists (ACLs) in order to differentiate the traffic that must be protected with IPsec encryption from the traffic that does not require protection. It protects the outbound packets that match a permit access control entry (ACE) and ensures that the inbound packets that match a permit ACE arrive protected.

    object-group network local-network
     network-object 192.168.0.0 255.255.255.0
    object-group network remote-network
     network-object 172.16.10.0 255.255.255.0
    access-list asa-vpn extended permit ip object-group local-network object-group remote-network


    Note: The VPN Peer must have the same ACL in a mirrored format.

    Configure an Identity NAT (Optional)

    Typically, an identity NAT is needed in order to prevent the interesting traffic from being translated by the dynamic NAT. The identity NAT configured in this case is:

    nat (inside,outside) source static local-network local-network destination static remote-network remote-network no-proxy-arp route-lookup

    Configure the IKEv2 IPSec Proposal

    The IKEv2 IPSec Proposal is used to define a set of encryption and integrity algorithms in order to protect the data traffic. This proposal must match both VPN Peers in order to build an IPSec SA successfully. The commands used in this case are:

    crypto ipsec ikev2 ipsec-proposal IKEV2_TSET
    protocol esp encryption aes-256
    protocol esp integrity sha-256

    Configure a Crypto Map and Bind it to the Interface

    A crypto map combines all the required configurations and must necessarily contain:

    • An access list to match the traffic that must be encrypted (commonly referred to as Crypto ACL)
    • Peer Identification
    • At least one IKEv2 IPSec Proposal

    The configuration used here is:

    crypto map outside_map 1 match address asa-vpn
    crypto map outside_map 1 set peer 10.20.20.20
    crypto map outside_map 1 set ikev2 ipsec-proposal IKEV2_TSET

    The final step is to apply this crypto map to the outside (public) interface with the crypto map outside_map interface outside command.

    Local ASA Final Configuration

    interface GigabitEthernet0/0
     nameif outside
     security-level 0
     ip address 10.10.10.10 255.255.255.0
    !
    interface GigabitEthernet0/1
     nameif inside
     security-level 100
     ip address 192.168.0.1 255.255.255.0
    !
    crypto ikev2 policy 10
     encryption aes-256
     integrity sha256
     group 20
     prf sha256
     lifetime seconds 86400
     additional-key-exchange 1 key-exchange-method 21
     additional-key-exchange 2 key-exchange-method 31
    !
    crypto ikev2 enable outside
    !
    tunnel-group 10.20.20.20 type ipsec-l2l
    tunnel-group 10.20.20.20 ipsec-attributes
     ikev2 remote-authentication pre-shared-key cisco
     ikev2 local-authentication pre-shared-key cisco
    !
    object-group network local-network
     network-object 192.168.0.0 255.255.255.0
    !
    object-group network remote-network
     network-object 172.16.10.0 255.255.255.0
    !
    access-list asa-vpn extended permit ip object-group local-network object-group remote-network
    !
    nat (inside,outside) source static local-network local-network destination static remote-network remote-network no-proxy-arp route-lookup
    !
    crypto ipsec ikev2 ipsec-proposal IKEV2_TSET
     protocol esp encryption aes-256
     protocol esp integrity sha-256
    !
    crypto map outside_map 1 match address asa-vpn
    crypto map outside_map 1 set peer 10.20.20.20
    crypto map outside_map 1 set ikev2 ipsec-proposal IKEV2_TSET
    !
    crypto map outside_map interface outside

    Remote ASA Final Configuration

    interface GigabitEthernet0/0
     nameif outside
     security-level 0
     ip address 10.20.20.20 255.255.255.0
    !
    interface GigabitEthernet0/1
     nameif inside
     security-level 100
     ip address 172.16.10.1 255.255.255.0
    !
    crypto ikev2 policy 10
     encryption aes-256
     integrity sha256
     group 20
     prf sha256
     lifetime seconds 86400
     additional-key-exchange 1 key-exchange-method 21
     additional-key-exchange 2 key-exchange-method 31
    !
    crypto ikev2 enable outside
    !
    tunnel-group 10.10.10.10 type ipsec-l2l
    tunnel-group 10.10.10.10 ipsec-attributes
     ikev2 remote-authentication pre-shared-key cisco
     ikev2 local-authentication pre-shared-key cisco
    !
    object-group network local-network
     network-object 172.16.10.0 255.255.255.0
    !
    object-group network remote-network
     network-object 192.168.0.0 255.255.255.0
    !
    access-list asa-vpn extended permit ip object-group local-network object-group remote-network
    !
    nat (inside,outside) source static local-network local-network destination static remote-network remote-network no-proxy-arp route-lookup
    !
    crypto ipsec ikev2 ipsec-proposal IKEV2_TSET
     protocol esp encryption aes-256
     protocol esp integrity sha-256
    !
    crypto map outside_map 1 match address asa-vpn
    crypto map outside_map 1 set peer 10.10.10.10
    crypto map outside_map 1 set ikev2 ipsec-proposal IKEV2_TSET
    !
    crypto map outside_map interface outside


    Note: The ACL is in the mirrored format and the pre-shared keys are the same at both ends.
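    The three conditions the notes above call out (matching IKEv2 policy including the additional key exchange transforms, a mirrored crypto ACL, and pre-shared keys that line up) are easy to get wrong by hand when a policy is edited on one side only. The following script is an added example, not part of this document or of any Cisco tool: it parses the relevant lines from each peer's running-config text (with ASA's one-space indentation for sub-commands) and lists every mismatch that would keep the IKE SA or the child SA from forming. The sample configurations are the Local and Remote ASA configurations from this document, trimmed to the lines the check needs; the helper names are this example's own.

```python
"""Added example: cross-check two ASA site-to-site IKEv2 configurations.

Reports an IKEv2 policy mismatch (encryption, integrity, group, prf or the
additional-key-exchange set), a crypto ACL that is not mirrored between the
peers, or pre-shared keys that do not line up.
"""
import re

# Constructed sample: the Local ASA configuration from this document, trimmed.
LOCAL_CFG = """\
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 20
 prf sha256
 lifetime seconds 86400
 additional-key-exchange 1 key-exchange-method 21
 additional-key-exchange 2 key-exchange-method 31
!
tunnel-group 10.20.20.20 type ipsec-l2l
tunnel-group 10.20.20.20 ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco
 ikev2 local-authentication pre-shared-key cisco
!
object-group network local-network
 network-object 192.168.0.0 255.255.255.0
!
object-group network remote-network
 network-object 172.16.10.0 255.255.255.0
!
access-list asa-vpn extended permit ip object-group local-network object-group remote-network
"""

# The Remote ASA configuration from the document is the same text with the
# peer address changed and the two subnets swapped between the object-groups.
REMOTE_CFG = (
    LOCAL_CFG.replace("10.20.20.20", "10.10.10.10")
    .replace("192.168.0.0", "@")
    .replace("172.16.10.0", "192.168.0.0")
    .replace("@", "172.16.10.0")
)


def _blocks(cfg):
    """Yield (top-level command, [sub-commands]) pairs from ASA config text."""
    header, subs = None, []
    for raw in cfg.splitlines():
        if raw.startswith(" "):
            subs.append(raw.strip())
        else:
            if header is not None:
                yield header, subs
            header, subs = raw.strip(), []
    if header is not None:
        yield header, subs


def parse_ikev2_policy(cfg):
    """Return the first IKEv2 policy as a dict; 'ake' maps AKE slot to DH group."""
    for header, subs in _blocks(cfg):
        if header.startswith("crypto ikev2 policy"):
            policy = {"ake": {}}
            for sub in subs:
                m = re.fullmatch(r"additional-key-exchange (\d+) key-exchange-method (\d+)", sub)
                if m:
                    policy["ake"][int(m.group(1))] = int(m.group(2))
                    continue
                m = re.fullmatch(r"(encryption|integrity|group|prf) (\S+)", sub)
                if m:
                    policy[m.group(1)] = m.group(2)
            return policy
    return None


def parse_object_groups(cfg):
    """Map each network object-group name to the set of 'network mask' strings in it."""
    groups = {}
    for header, subs in _blocks(cfg):
        m = re.fullmatch(r"object-group network (\S+)", header)
        if m:
            groups[m.group(1)] = frozenset(
                s.split(" ", 1)[1] for s in subs if s.startswith("network-object "))
    return groups


def parse_crypto_acl(cfg):
    """Return {(source networks, destination networks)} with object-groups resolved."""
    groups = parse_object_groups(cfg)
    entries = set()
    for header, _ in _blocks(cfg):
        m = re.fullmatch(
            r"access-list \S+ extended permit ip object-group (\S+) object-group (\S+)", header)
        if m:
            entries.add((groups[m.group(1)], groups[m.group(2)]))
    return entries


def parse_psks(cfg):
    """Return {'local': key, 'remote': key} from the tunnel-group ipsec-attributes."""
    keys = {}
    for _, subs in _blocks(cfg):
        for sub in subs:
            m = re.fullmatch(r"ikev2 (remote|local)-authentication pre-shared-key (\S+)", sub)
            if m:
                keys[m.group(1)] = m.group(2)
    return keys


def check_peers(local_cfg, remote_cfg):
    """Return a list of mismatch descriptions; an empty list means the peers agree."""
    problems = []
    lp, rp = parse_ikev2_policy(local_cfg), parse_ikev2_policy(remote_cfg)
    if lp is None or rp is None:
        return ["crypto ikev2 policy missing on one peer"]
    for attr in ("encryption", "integrity", "group", "prf"):
        if lp.get(attr) != rp.get(attr):
            problems.append(f"ikev2 policy {attr}: local={lp.get(attr)} remote={rp.get(attr)}")
    if lp["ake"] != rp["ake"]:
        problems.append(f"additional-key-exchange: local={lp['ake']} remote={rp['ake']}")
    la, ra = parse_crypto_acl(local_cfg), parse_crypto_acl(remote_cfg)
    if la != {(dst, src) for src, dst in ra}:
        problems.append("crypto ACL is not mirrored between peers")
    lk, rk = parse_psks(local_cfg), parse_psks(remote_cfg)
    if lk.get("local") != rk.get("remote") or lk.get("remote") != rk.get("local"):
        problems.append("pre-shared keys do not line up between peers")
    return problems


if __name__ == "__main__":
    print(check_peers(LOCAL_CFG, REMOTE_CFG) or "peers are consistent")
```

    Run it against the output of show running-config from both ASAs before bringing the tunnel up; a change to a single additional-key-exchange slot on one peer shows up as an additional-key-exchange mismatch, which is exactly the case the policy-match note above describes.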

    Verify

    Before you verify that the tunnel is up and passing traffic, you must ensure that interesting traffic is being sent to the ASAs.


    Note: The packet tracer was used in order to simulate the traffic flow. This can be done with the packet-tracer command; on the Local-ASA: packet-tracer input inside icmp 192.168.0.11 8 0 172.16.10.11 detailed.

    In order to validate the additional key exchanges, use the show crypto ikev2 sa command. In the output, check the AKE parameters to confirm the selected exchange algorithms.

    Local-ASA# show crypto ikev2 sa

    IKEv2 SAs:

    Session-id:2, Status:UP-ACTIVE, IKE count:1, CHILD count:1

    Tunnel-id Local                 Remote                fvrf/ivrf  Status  Role
    246015    10.10.10.10/500       10.20.20.20/500                  READY   INITIATOR
          Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:20, Auth sign: PSK, Auth verify: PSK
          Additional Key Exchange Group: AKE1: 21 AKE2: 31
          Life/Active Time: 86400/7 sec
    Child sa: local selector  192.168.0.0/0 - 192.168.0.255/65535
              remote selector 172.16.10.0/0 - 172.16.10.255/65535
              ESP spi in/out: 0xf41ca3b5/0xda0e693b
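    When many tunnels are in play, reading the AKE line by eye does not scale, and a tunnel that came up without the additional exchanges still reports READY. The script below is an added example, not code from this document or from Cisco: it parses show crypto ikev2 sa output into one record per session and flags any SA whose negotiated AKE groups differ from the ones the policy configured. The sample output is the Local-ASA output shown above, relaid out in the column format the command prints; the parser assumes that an SA with no additional exchanges simply omits the Additional Key Exchange Group line, and the function names are this example's own.

```python
"""Added example: parse 'show crypto ikev2 sa' and confirm the negotiated
additional key exchanges (AKE1..AKEn) match the configured policy."""
import re

# Constructed sample: the Local-ASA output shown in this document.
SHOW_OUTPUT = """\
IKEv2 SAs:

Session-id:2, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                 Remote                fvrf/ivrf  Status  Role
246015    10.10.10.10/500       10.20.20.20/500                  READY   INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:20, Auth sign: PSK, Auth verify: PSK
      Additional Key Exchange Group: AKE1: 21 AKE2: 31
      Life/Active Time: 86400/7 sec
Child sa: local selector  192.168.0.0/0 - 192.168.0.255/65535
          remote selector 172.16.10.0/0 - 172.16.10.255/65535
          ESP spi in/out: 0xf41ca3b5/0xda0e693b
"""


def parse_ikev2_sas(text):
    """Return one dict per IKEv2 session found in the command output."""
    sas = []
    # Each session starts with a 'Session-id:' line; the first split piece is the banner.
    for chunk in re.split(r"(?=Session-id:)", text)[1:]:
        sa = {"ake": {}}
        m = re.search(r"Session-id:(\d+), Status:(\S+?),", chunk)
        sa["session"], sa["status"] = int(m.group(1)), m.group(2)
        # Tunnel row: '<tunnel-id> <local>/<port> <remote>/<port> ...'
        m = re.search(r"^(\d+)\s+(\S+)/\d+\s+(\S+)/\d+", chunk, re.M)
        sa["tunnel_id"], sa["local"], sa["remote"] = int(m.group(1)), m.group(2), m.group(3)
        m = re.search(r"Encr: (\S+), keysize: (\d+).*?DH Grp:(\d+)", chunk)
        sa["encr"], sa["keysize"], sa["dh_group"] = m.group(1), int(m.group(2)), int(m.group(3))
        # Assumption: an SA without additional exchanges prints no AKE line at all.
        m = re.search(r"Additional Key Exchange Group:(.*)", chunk)
        if m:
            sa["ake"] = {int(n): int(g) for n, g in re.findall(r"AKE(\d+): (\d+)", m.group(1))}
        sas.append(sa)
    return sas


def verify_ake(text, expected):
    """List the SAs whose negotiated AKE slot->group mapping differs from `expected`."""
    findings = []
    for sa in parse_ikev2_sas(text):
        if sa["ake"] != expected:
            findings.append(f"tunnel {sa['tunnel_id']} to {sa['remote']}: "
                            f"negotiated AKE {sa['ake']} but expected {expected}")
    return findings


if __name__ == "__main__":
    for sa in parse_ikev2_sas(SHOW_OUTPUT):
        print(sa)
    print(verify_ake(SHOW_OUTPUT, {1: 21, 2: 31}) or "all SAs negotiated the expected AKE groups")
```

    Feed it the saved output of show crypto ikev2 sa and the AKE mapping from the policy ({1: 21, 2: 31} for the policy in this document); an empty result means every session negotiated the configured additional exchanges.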

    Troubleshoot

    These debugs can be used to troubleshoot the IKEv2 tunnel:

    debug crypto ikev2 protocol 127
    debug crypto ikev2 platform 127


    Note: If you wish to troubleshoot only one tunnel (which must be the case if the device is in production), you must enable debugs conditionally using the debug crypto condition peer X.X.X.X command.
